Method of access by a telecommunications terminal to a database hosted by a service platform that is accessible via a telecommunications network

ABSTRACT

A method enabling a telecommunications terminal to access a database hosted by a service platform that can be accessed via a telecommunications network. The method includes: transmitting, to a second terminal associated with a mobile identifier of a second telecommunications network, information representing a request for the first terminal to access the database; in the second terminal, sending a response to the access request to an authentication server of the platform; in the authentication server, when a response to the access request is received, verifying the mobile identifier of the second network, and optionally validating the access of the first terminal to the database depending on the outcome of the verification.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a Continuation application of U.S. patentapplication Ser. No. 14/368,218, filed Jun. 23, 2014, which is a Section371 National Stage Application of International Application No.PCT/FR2012/052953, filed Dec. 17, 2012, which is published as WO2013/093314 on Jun. 27, 2013, not in English; the contents of which arehereby incorporated by reference in their entireties.

FIELD OF THE DISCLOSURE

The invention relates generally to the field of telecommunications andmore specifically to access by various telecommunications terminals todata stored by a server on a telecommunications network.

The present invention is particularly applicable to a system called‘cloud computing’, i.e. a computer system that enables individuals tostore their personal data on servers, but also enterprises that do nothave their own servers to store their data on servers that they lease;the latter thus delegate their computing and storage operations toproviders benefiting from computing infrastructures dispersed throughoutthe entire world and interconnected via a network. Access to this ‘cloudcomputing’ usually takes place via the Internet, and in this context aprivate user or a company employee accesses his/her applications anddata hosted on a remote server through a ‘virtual office’, via anyterminal connected to the network.

BACKGROUND OF THE DISCLOSURE

Thus in general, users connect to a server or service platform hosting adatabase containing their personal data—e.g. photos, videos, documents,etc.—from a computer terminal, such as a personal computer, in which aweb page is downloaded for accessing an entry portal to the serviceplatform, or from a software application previously installed on thecomputer terminal considered. By way of examples, such ‘cloud’ storageservices for computer data are provided by companies such as Dropbox(Dropbox™, on-line file storage and sharing) or Google (Picasa WebAlbum™, photo management on the web).

For connecting to their personal space on the network, in thetraditional way users enter a user identifier (login) and a passwordfrom their terminal connected to an IP (Internet Protocol) network.After the server verifies their identity, users access their personaldata environment. Users can thus connect to their personal dataenvironment hosted by the service platform from various computerterminals connected to the Internet in a fixed way (PC, for example) oron the move (smartphone, tablet computer, etc.).

In this context, each time users want to change computer terminal forconnecting to their personal space, they must restart the connectionprocedure with identifier and password from the new terminal. Inaddition, if the aforementioned users wish to give access to their dataenvironment to remote third-party users, equipped with their ownterminal, they must pass on their personal identification data to thesethird-party users.

SUMMARY

A first aspect of the present invention relates to a method of access bya first telecommunications terminal to a database hosted by a serviceplatform that is accessible via a telecommunications network. Inaccordance with the invention this method in general comprises:

(A)—transmitting to a second terminal associated with a subscriberidentifier of a second telecommunications network, informationrepresentative of a request from the first terminal to access thedatabase;

(B)—in the second terminal, sending a response to the access request toan authentication server of the platform;

(C)—in the authentication server, when a response to the access requestis received, verifying the identifier of the subscriber to the secondnetwork, and validating or not validating access to the database by thefirst terminal according to the result of the aforementionedverification.

According to the method of the invention, defined above in generalterms, access of the first terminal to the service platform database isconditioned by the authorization received from a secondtelecommunications terminal, e.g. a smartphone, of which the subscriberidentifier—in practice the phone number (MSISDN number) stored in theSIM card of the phone, when this second phone is a mobile phoneterminal—is authenticated by the authentication server.

In practice, when the second terminal is a mobile phone, the user of thesecond terminal owning the personal data stored on the network can thusquickly and simply authorize access to his/her personal data to anotherterminal with his/her mobile phone. Indeed, the MSISDN (Mobile StationISDN Number) stored in the SIM (Subscriber Identity Module) card of themobile phone is deducible from the response to the access request, thenis authenticated in the server, which reliably ensures the origin of theresponse to the access request.

According to a particular embodiment of the invention, the first andsecond telecommunications terminals are connected to the samecommunications network. In this case the communications network foraccess to the service platform and the aforementioned secondcommunications network are one and the same network. For example, thefirst and second terminals may both be mobile terminals connected to thesame mobile phone network.

According to a first embodiment of the invention, step (A) of theaforementioned method includes:

(a1)—in the first telecommunications terminal, generating a request foraccess to the database, the request including information identifyingthe subscriber to the second telecommunications network, and sending theaccess request to the authentication server of the platform;

(a2)—in the authentication server, determining the secondtelecommunications terminal from the subscriber identificationinformation retrieved from the access request received, thentransmitting to the second terminal a request for authorizing access ofthe first terminal to the database.

In this embodiment, it is the authentication server that determines thesecond terminal (the mobile terminal) from the subscriber identificationinformation. According to a particular feature of this embodiment, step(A) includes a preliminary operation of loading and displaying in thefirst terminal a web page for access to the authentication server of theservice platform, the access request to the authentication serverfollowing a command from the user of the first terminal transmitted viasaid web page.

For example, the command from the user of the first terminal may simplybe entering on the keyboard of the first terminal the phone number ofthe user of the second terminal. It is therefore not necessary for thefirst user to enter an identifier and a password as is the case in mostof the known prior art applications.

According to another feature of the invention, the aforementioned step(B) of the method of access according to the invention includes:

(b1)—notification of the request for authorizing access in the secondterminal; and

(b2)—following an action by a user of the second terminal performed bymeans of a human-machine interface of the second terminal, sending tothe authentication server a response to the request for authorizingaccess.

Thus, as disclosed above, in this first embodiment, it is theauthentication server which acts as an intermediary between the user ofthe first terminal and the user of the second terminal, the owner of thedata which the first user wishes to access. This embodiment is thusparticularly suited to the situation in which the first and second usersare remote from each other. In this context, access to the database bythe first terminal can be used, for example, to run an application forsharing data from the database, the implementation whereof is validatedby the user of the second terminal at the request of the user of thefirst terminal.

According to a feature of embodiment, still in the embodiment disclosedabove, the method according to the invention includes the display in thesecond terminal of a graphical interface displaying information relatingto access requests and to the state of connection with the serviceplatform for a predetermined set of telecommunications terminals.

Thanks to this arrangement, the user of the second terminal has aneffective and simple-to-use means for delivering then controllingaccess, by third-party users, to the data in the user's personal dataspace in the service platform.

According to a particular embodiment, for a predetermined set of firstterminals identified in a list stored in the second terminal, a responseto the access request received is automatically sent by the secondterminal to the authentication server. For example, this response may besent automatically after a predetermined duration (time delay) withoutany intervention by the user.

Thus, the second terminal automatically transmits a response to theauthentication server without any intervention by the user of the secondterminal, for a considered terminal in the list. For example, if thesecond terminal is a mobile phone and the first terminal is a tabletcomputer belonging to the same user, the latter is thus spared thevalidation step by sending a response to the authentication server, whenthe tablet is identified in the list.

According to a variant embodiment, the aforementioned list of firstterminals is stored in the authentication server, the step (a2) oftransmitting to the second terminal a request for authorizing access ofthe first terminal to the database is then not implemented when thefirst terminal is identified as being a terminal in the list, access ofthe first terminal to the database being automatically validated by theauthentication server.

According to a second embodiment of the inventive method, which can beadvantageously combined with the first embodiment disclosed above, themethod includes a preliminary operation of loading and displaying in thefirst terminal a web page for access to the authentication server of theplatform, and in which the web page for access to the authenticationserver of the service platform, displayed on a screen of the firstterminal, represents a two-dimensional code automatically generated bythe authentication server when the web page is downloaded; step (A) oftransmitting information representative of a request for access to thedatabase from the first terminal to the second terminal then consists intransmitting this two-dimensional code to a software applicationinstalled in the second terminal.

In particular, in this embodiment, in step (B), the response to theaccess request sent from the second terminal to the authenticationserver includes the aforementioned two-dimensional code. Theauthentication server then compares the code received with the codegenerated initially.

According to a preferred embodiment, the second telecommunicationsnetwork is a mobile phone network, and the second terminal is a mobilephone of the smartphone type.

In this second embodiment, the transmission of the access request takesplace directly from the first terminal to the second terminal, e.g. bythe second terminal photographing the code displayed on the screen ofthe first terminal. It will then be appreciated that this embodiment isparticularly suited to the situation in which the two terminals arelocated close to one another, e.g. in the same room. In this context,access to the database by the first terminal can be used, for example,to run an application for forwarding data display, from the secondterminal to the first terminal, in the case, for example, where thefirst terminal has more extensive display capabilities than those of thesecond terminal. Of course, according to this second embodiment, theuser of the first terminal and the user of the second terminal may bethe same person.

According to a second aspect, the subject matter of the presentinvention is a telecommunications terminal including:

-   -   means of receiving information representative of a request from        a first telecommunications terminal to access a database hosted        by a service platform on a telecommunications network;    -   means of generating and sending a response to the access request        to an authentication server of the service platform in order to        verify a subscriber identifier of a second telecommunications        network to which said telecommunications terminal is connected,        and to validate access to the database by the first terminal        according to the result of verifying the subscriber identifier.

According to a particular feature, such a telecommunications terminalaccording to the invention further comprises human-machine interfacemeans suitable for notifying a terminal user of the aforementionedinformation representative of the access request, and sending a responseto the access request to an authentication server, following an actionby the user performed via the human-machine interface.

According to another feature of such a telecommunications terminal, thelatter comprises graphical interface means suitable for displayinginformation relating to access requests and to the state of connectionwith the service platform for a predefined set of telecommunicationsterminals.

Thus the user of a (second) terminal according to the invention, the‘owner’ of the data, may advantageously keep control of the connectionsin progress with the database for a predefined set of user terminals. Inparticular, the user of the terminal according to the invention willhave, via the graphical interface, the possibility of interrupting aconnection in progress between a first terminal among the predefined setof terminals, and the database.

According to a particular embodiment such a telecommunications terminalcomprises means for receiving and reading a two-dimensional codetransmitted by the first terminal, this code being representative of arequest for access to the database by the first terminal. In thisembodiment, the response to the access request sent to an authenticationserver includes the two-dimensional code.

According to a third aspect, the subject matter of the present inventionis an authentication server for implementing a method of access to adatabase, as briefly disclosed above, this server including:

-   -   means of receiving a response to a request from a first        telecommunications terminal to access the database, from a        mobile phone terminal according to the invention; and    -   means of verifying a subscriber identifier of a mobile phone        network following the reception of the response to an access        request, and validating access to the database by the first        terminal according to the result of said verification.

It will be appreciated that such a server is particularly suited to amethod of access to a database, as briefly disclosed above in thecontext of the first embodiment.

Moreover, such a server according to the invention comprises:

-   -   means of receiving a request for access to the database from the        first terminal, the request including information identifying a        subscriber to a mobile phone network;    -   means of determining a second telecommunications terminal from        the subscriber identification information retrieved from the        access request received; and,    -   means of transmitting to the second terminal a request for        authorizing access of the first terminal to the database.

Finally, according to a last aspect, the subject matter of the inventionis a software module intended to be incorporated into atelecommunications terminal according to the invention, as brieflydisclosed above, or intended to be incorporated into an authenticationserver according to the invention, as briefly disclosed above. Such asoftware module comprises program instructions the execution whereof bya computer processor is used to implement the steps of a method ofaccess to a database, according to the invention, which are executed, asthe case may be, in a telecommunications terminal according to theinvention or in an authentication server according to the invention.

Furthermore, such a software module may use any programming language,and include programs in the form of source code, object code, orintermediate code between source code and object code, such as in apartially compiled form, or in any other desirable form.

Accordingly, the invention is also aimed at a medium for recordinginformation readable by a computer, and comprising computer programinstructions. Such a recording medium may also consist of any entity ordevice capable of storing such a program. For example, the medium maycomprise a storage means, such as a ROM, e.g. a CD ROM or amicroelectronic circuit ROM, or a removable recording means, such as aUSB stick or a magnetic recording means, such as a hard disk. On theother hand, a software module according to the invention may inparticular be downloaded from an Internet type network.

The advantages provided by a telecommunications terminal, anauthentication server, a software module, as briefly defined above, areidentical or contribute to those mentioned above in relation to themethod of access to a database, according to the invention, andaccordingly will not be recalled here.

BRIEF DESCRIPTION OF THE DRAWINGS

Other features and advantages of the present invention will emerge fromthe following detailed description, which makes reference to theaccompanying drawings in which:

FIG. 1 illustrates a telecommunications system in which the invention isimplemented, and in particular illustrates the functional elementsincorporated respectively into a telecommunications terminal and into anauthentication server, according to the invention;

FIG. 2 shows in flowchart form the main steps of a method of access by atelecommunications terminal to a database hosted by a service platform,according to the invention; and

FIG. 3 illustrates an example of message exchanges between the variouselements of the telecommunications system in FIG. 1, for implementing amethod of access to a database, according to the invention.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

FIG. 1 illustrates a telecommunications system in which the invention isimplemented. As shown in FIG. 1, a first telecommunications terminal T1is connected to the telecommunications network NW consisting here of anInternet type of IP network. The terminal T1 in this example ofembodiment is a personal computer, but it may be a digital ortouch-sensitive tablet computer, or a smartphone connected to theInternet.

The system also includes a service platform PTF connected to the networkNW, which offers various services such as the storage of personal data‘in the cloud’ (cloud storage)—e.g. multimedia documents such as videos,photos, text documents, etc. The service platform PTF includes anauthentication server AUTH associated with a database DB of serviceusers, and a data server SVR storing the personal data of registeredusers of the personal data storage service.

The user database (DB), associated with the authentication server,contains for each user of the service platform a stored list or a tablecontaining a data storage service user or subscriber identifier—e.g. auser name—associated with at least one phone network subscriberidentifier or a terminal identifier, e.g. a mobile phone number, a fixedIP phone number, an IP address. Moreover, such a user table mayadvantageously include another communication identifier, such as anemail address. Thus, the user of a terminal T1 may use an email addressas a user identifier for enabling the authentication server to identifya registered user in the user database (DB) and then to determine aterminal (T2) associated with the identified user.

The system shown also includes a second telecommunications terminal, T2,connected to the network NW. In the example of embodiment described andillustrated, the terminal T2 is a smartphone type of mobile phone. Themobile phone T2 is shown in FIG. 1 connected to the network NW forsimplifying the disclosure. However, the terminal T2 may in practice beconnected to the network NW through an access network, e.g. a WiFinetwork, or through a third generation mobile network (UMTS) (connectionin data mode).

As shown in FIG. 1, the mobile terminal T2 in particular includes thefollowing functional modules:

-   -   An input/output communication module, denoted by ‘I/O’ and        intended for communicating with the network NW.    -   An operating system module, OS2, e.g. Google's Android™        operating system, handling the interaction between the various        modules and the processor (not shown) of the terminal T2.    -   A display device associated with a (touch-sensitive or        mechanical) keyboard ‘SCR/KB’.    -   A memory module MEM2 in which a software application or module        APP2 according to the invention is stored.

The module I/O is used in particular to receive informationrepresentative of a request from the first telecommunications terminalT1 to access the personal data of the user of the terminal T2 stored inthe server SVR of the service platform PTF, then to communicate thisinformation to the application APP2.

The application APP2 includes program instructions suitable forgenerating a response to the access request, then transmitted to the I/Omodule which in turn transmits it to the authentication server AUTH,through the network NW.

The application APP2 of the terminal T2 also includes instructions theexecution whereof produces a human-machine interface—in practice agraphical interface displayed by the screen SCR of the terminal—viawhich the user of the terminal T2 receives notification of informationrepresentative of the access request, and enables the user to send aresponse to the access request to the authentication server.

In the mode of embodiment presented, the graphical interface produced bythe application APP2 is suitable for displaying information relating toaccess requests and to the state of connection with the service platformPTF for a predetermined set of telecommunications terminals. This set ofterminals may include other terminals of the main user of the terminalT2 (a mobile terminal in the illustrated mode of embodiment), such as,for example, a tablet computer or a home PC, or telecommunicationsterminals belonging to the persons chosen by the user of the terminal T2(e.g. friends or family members).

According to a particular embodiment, the terminal T2 further includes amodule for reading a two-dimensional code, integrated into or associatedwith the application APP2, and which in particular can be used to read atwo-dimensional code transmitted by the first terminal T1, which codebeing representative of a request for access to the database by theterminal T1.

In this embodiment, a response to an access request transmitted by theterminal T2 to the authentication server includes such a two-dimensionalcode, the authentication server then comparing the code received withthe code generated initially. In practice such a two-dimensional codemay consist of a two-dimensional bar code such as a QR code.

According to a variant embodiment a terminal T2 according to theinvention may be equipped with an NFC tag reader intended to read an NFC(Near Field Communication) tag, fitted into and programmed by theterminal T1.

Still in FIG. 1, the authentication server AUTH of the service platformPTF correlatively comprises the following functional modules:

-   -   An input/output communication module, denoted by ‘I/O-A’ and        intended for communicating with the network NW and receiving a        request for access to the database from the first terminal T1,        this access request including identification information for a        registered user of the services provided by the service platform        PTF. In the embodiment described, this user identification        information is identification information for a subscriber to a        second telecommunications network—here a mobile phone network,        the identification information being, for example, the phone        number associated with the SIM card incorporated into the        terminal T2. The I/O-A module is also responsible for        transmitting to the second terminal T2, identified thanks to the        aforementioned identification information, a request for        authorizing access of the first terminal T1.    -   An operating system module, OS-A, handling the interaction        between the various modules and the processor (not shown) of the        server.    -   A memory module MEM-A in which a software application or module        APP-A according to the invention is stored, the program        instructions whereof when they are executed by a processor (not        shown) of the server AUTH are used to implement the steps of the        method of access according to the invention which are        implemented in the authentication server. In particular, the        software module APP-A is designed for verifying an identifier of        a second terminal T2—i.e. in the embodiment described, a        subscriber identifier (phone number) of a mobile phone        network—following the reception of a response to an access        request, from the terminal T2; and for validating or not        validating access to the database (SVR) by the first terminal T1        according to the result of the aforementioned verification.

FIG. 2 shows in flowchart form the main steps of the method of access bya telecommunications terminal T1 to a database SVR hosted by a serviceplatform PTF.

As shown in FIG. 2, the method according to the invention begins withstep E10 in the course of which the terminal T1, connected to theInternet, loads a web page for access to the authentication server AUTHof the service platform, e.g. an address of the type‘cloudphone.orange.fr’. The user of the terminal T1 knows at least onecommunication identifier for identifying the owner of the data that theuser wishes to consult, e.g. a photo album. This communicationidentifier may be an email address, a fixed phone number, a mobile phonenumber or a person's name.

The user of the terminal T1 enters this identifier on the terminalscreen, in a dedicated field of the web page. Assuming that thisidentifier is an email address, a data access request is then generated,which includes the identification information consisting of the emailaddress of the owner of the data. The access request is then sent to theauthentication server AUTH.

In the following step, E12, the authentication server receives theaccess request from the terminal T1, retrieves the identificationinformation of a person, in this example an email address, and consultsthe user database DB with this email address as the input parameter, forobtaining at least one subscriber identifier of a communicationsnetwork. In this example, the server AUTH obtains a mobile phone number.The authentication server then transmits to the mobile terminal T2corresponding to the mobile phone number obtained, a request forauthorizing access representative of the request from the first terminalto access the personal data of the person identified by theaforementioned mobile phone number, in the user database DB of theservice platform PTF.

In the next step, E14, in the mobile terminal T2, the request forauthorizing access is received by the application APP2 and notified tothe terminal user, e.g. by a specific tone. According to variantembodiments, the notification to the terminal T2 of the request forauthorizing access may be performed by sending an SMS or MMS typemessage, or by a phone call automatically initiated by an interactivevoice server controlled by the authentication server. Once the requestfor authorizing access is notified to the user of the second terminal,the latter may then initiate, via the graphical user interface displayedby the application APP2 of the terminal T2, the sending of a response tothe request for authorizing access, to the authentication server AUTH.

As disclosed earlier in the description, according to an advantageousmode of embodiment of the invention, the owner of the data to be sharedand user of the terminal T2 has the possibility of predefining a list ofterminals T1, stored in the terminal T2 or accessible on the network bythe application APP2 of the terminal T2, for which a favorable responseto the access request received is automatically sent by the secondterminal to the authentication server. According to a variant embodimentwhich may be combined with the previous one, such a predefined list ofterminals may be stored in the authentication server, in which case thestep of transmitting a request for authorizing access to the terminal T2is not implemented for the terminals identified in the aforementionedlist.

In step E16, when the authentication server AUTH receives a response tothe authorization request from the terminal T2, it analyzes the responseand validates or does not validate access to the database by the firstterminal according to the content of the response.

If access is validated, a data consultation session is establishedbetween the terminal T1 and the data server SVR. The application APP2 ofthe second terminal T2 displays a graphical user interface showing thestatus of the consultation session between the terminal T1 and the dataserver SVR, and the user of the terminal T2 thus has the possibility ofcontrolling the session in progress.

In the second mode of embodiment presented earlier in the description,in the terminal T1, the web page for access to the authentication serverof the service platform causes the display of a two-dimensional codeautomatically generated by the authentication server when the web pageis downloaded. Step E12 in FIG. 2 is therefore ‘short-circuited’ sincethe two-dimensional code is transmitted directly from the first terminalT1 to the second terminal T2, e.g. by the code being photographed by theterminal T2. In this case, the response to the request for authorizingaccess, generated by the terminal T2 in step E14, includes thephotographed code.

In practice, in the embodiments disclosed here, the exchanges betweenthe terminals T1 and T2 and the server AUTH are implemented by commandsusing the known language XML (Extensible Markup Language) andtransmitted according to the known communication protocol HTTP(HyperText Transfer Protocol).

FIG. 3 illustrates an example of message exchanges between the variouselements of the telecommunications system in FIG. 1, for implementing amethod of access to a database, according to the first and secondembodiments of the invention. In FIG. 3, the references ‘T1-U1’, ‘T2-U2’and AUTH and the corresponding vertical lines indicate the actionsimplemented respectively in the terminal T1 the user of which is U1, theterminal T2 the user of which is U2, and in the authentication serverAUTH. FIG. 3 thus illustrates an example of a process of access by auser U1 of the terminal T1 to personal data, stored in the serviceplatform (PTF), of a user U2 of the terminal T2.

The process begins with the sending of a message m1 from the terminal T1to the server AUTH, which message m1 contains a request for a secretcode from the terminal T1 to the server AUTH, of the form getSecret(T1),for example. In return the server AUTH transmits to the terminal T1 amessage m2 containing a secret code randomly generated in the server.The message m2 contains a command of the form setSecret(secret), forexample, where secret is the secret code. The preliminary exchange of asecret code between the server AUTH and the terminal T1 is thus used tofurther secure the method of access according to the invention.

Then, as shown in E30, after the terminal T1 has received the secretcode, the latter is displayed on the terminal T1 and in parallel, anelement, readable by an external device, containing the secret code andan identifier of the terminal T1 (e.g. its IP address), is produced inthe terminal T1. This ‘readable’ element is, for example, a bar codesuch as a QR code or an NFC tag. Two cases are then to be considered,the case ‘M1’ corresponding to the first embodiment disclosed above, orthe case ‘M2’ corresponding to the second embodiment disclosed above.

According to the first embodiment (M1), the user U1 of the firstterminal T1 initiates, via the web page for access to the server AUTH,the transmission of a message m3 containing the data access request, tothe server AUTH, the access request including an identifier of the userU2 (e.g. a mobile phone number). The message m3 contains a command ofthe form getAccess(T1, U2, secret), for example.

Following the reception of the message m3, the server AUTH determinesthe terminal T2 and sends it a message m4 containing a request forauthorizing access of the terminal T1 to personal data of the user U2.This message m4 contains a command of the form getAccess(T1, secret),for example.

Following the reception of the message m4 in the terminal T2, accordingto the example of exchanges disclosed, as shown by the box E32, the userU2 having received the secret code (e.g. a four-digit code) enters intocontact with the user U1 for verifying that the user U1 is in possessionof the secret code, and therefore that the access request from theterminal T1 is truly genuine. This placing in contact of the user U2with the user U1 may be carried out via voice communication, e.g. whenthe terminals T1 and T2 are geographically remote from each other, orvia an oral communication when the terminals are close to each other (inthe same room, for example), and the users U1 and U2 are different.

The optional operation above of verifying the secret code can be used inparticular to ensure that the access request has not been sent by ahacker stealing the identity of the terminal T1.

If the terminal T1 is properly authenticated by the user U2, the user U2initiates in the terminal T2 the sending to the destination server AUTHof a message m5 containing a favorable response to the authorizationrequest contained in the message m4, e.g. a command of the formsetAutorisation(T1, U2, secret).

In response, the server AUTH sends a message m6 to the terminal T1, themessage m6 containing a digital authorization key enabling the terminalT1 to unlock access to the data that the user U1 wishes to consult andwhich are stored in the data server SVR of the service platform PTF. Themessage m6 contains a command of the formsetAutorisation(autorisationKey), for example. The terminal T1 havingreceived the authorization key or token, access by the terminal T1 tothe data of the user U2 is then authorized (box E34) subject to thesubmission by the terminal T1 of the token to the authentication serverAUTH; the user U1 may then consult the personal data of the user U2.

Still in FIG. 3, according to the second embodiment (M2) of theinvention, disclosed above, following the downloading of the web pagefor access to the service platform, a readable element containing thesecret code and the identifier of the terminal T1 is produced in theterminal T1 in the form of a bar code or an NFC tag programmed in theterminal T1. In this embodiment the terminal T2 located close to theterminal T1 and with a suitable reading device reads the secret codeprovided by the terminal T1 (represented by the arrow m7). Following thereading of the secret code, the computer application APP2, according tothe invention, with which the terminal T2 is equipped, thenautomatically transmits to the authentication server AUTH the messagem8, which contains a favorable response to the authorization requestobtained by the terminal T2 reading (arrow m7) the aforementioned‘readable’ element, produced in the terminal T1. The message m8 containsa command of the form setAutorisation(T1, U2, secret), for example.

Finally, just as for the first mode of operation, in response to themessage m8, the server AUTH sends a message m9 to the terminal T1, themessage m9 containing a digital authorization key enabling the terminalT1 to unlock access to the data that the user U1 wishes to consult andwhich are stored in the data server SVR of the service platform PTF. Themessage m9 contains a command of the formsetAutorisation(autorisationKey), for example. The terminal T1 havingreceived the authorization token, access by the terminal T1 to the dataof the user U2 is then possible (box E36) subject to the submission bythe terminal T1 of the authorization token to the authentication serverAUTH, the user U1 may then consult the personal data of the user U2.

An exemplary embodiment of the present invention aims at improving thesituation explained above in the background section in particular byenabling a user to use any terminal connected to the Internet foraccessing personal data stored in the ‘cloud’ in improved conditions ofsecurity and convenience in use.

Although the present disclosure has been described with reference to oneor more examples, workers skilled in the art will recognize that changesmay be made in form and detail without departing from the scope of thedisclosure and/or the appended claims.

1. A method of access by a first telecommunications terminal to adatabase hosted by a service platform that is accessible via a firsttelecommunications network, wherein the method includes acts of:(A)—transmitting to a second telecommunications terminal associated witha subscriber identifier of a second telecommunications network,information representative of a request from the first terminal toaccess the database; (B)—in the second terminal, sending a response tosaid access request to an authentication server of said platform; and(C)—in the authentication server, when a response to the access requestis received, verifying the identifier of the subscriber to said secondnetwork, and validating or not validating access to the database by thefirst terminal according to the result of said verification; said methodfurther including a preliminary operation of loading and displaying inthe first terminal a web page for access to the authentication server ofsaid platform, and in which: said web page for access to theauthentication server of the service platform, displayed on a screen ofthe first terminal, represents a two-dimensional code automaticallygenerated by the authentication server when said web page is downloaded;and step (A) of transmitting information representative of a request foraccess to said database from the first terminal to the second terminalcomprises transmitting said two-dimensional code to a softwareapplication installed in the second terminal.
 2. The method as claimedin claim 1, in which step (A) includes: (a1)—in the firsttelecommunications terminal, generating a request for access to thedatabase, said request including information identifying said subscriberto the second telecommunications network, and sending the access requestto the authentication server of the platform; and (a2)—in theauthentication server, determining the second telecommunicationsterminal from said subscriber identification information retrieved fromthe access request received, then transmitting to the second terminal arequest for authorizing access of the first terminal to the database. 3.The method as claimed in claim 2, in which step (B) includes:(b1)—notification of the request for authorizing access in the secondterminal; and (b2)—following an action by a user of the second terminalperformed by means of a human-machine interface of the second terminal,sending a response to the request for authorizing access to theauthentication server.
 4. The method as claimed in claim 2 which thefirst telecommunications network is an Internet type network, and inwhich step (A) includes a preliminary operation of loading anddisplaying in the first terminal a web page for access to theauthentication server of said platform, the access request to theauthentication server following a command from the user of the firstterminal transmitted via said web page.
 5. The method as claimed inclaim 2, including the display in the second terminal of a graphicalinterface displaying information relating to access requests and to thestate of connection with the service platform for a predetermined set oftelecommunications terminals.
 6. The method as claimed in claim 2, inwhich, for a predetermined list of first terminals identified in a liststored in the second terminal, a response to the access request receivedis automatically sent by the second terminal to the authenticationserver.
 7. The method as claimed in claim 2, in which, for apredetermined list of first terminals identified in a list stored in theauthentication server, the step (a2) of transmitting to the secondterminal a request for authorizing access of the first terminal to thedatabase is not implemented when said first terminal is identified asbeing a terminal in said list, access of the first terminal to thedatabase being automatically validated.
 8. The method as claimed inclaim 1, in which, in step (B), the response to the access request sentby the second terminal to the authentication server includes saidtwo-dimensional code, the authentication server then comparing the codereceived with the code generated initially.
 9. An authentication serverfor implementation of a method of access by a first telecommunicationsterminal to a database hosted by a service platform that is accessiblevia a first telecommunications network, said server including: aprocessor; and a non-transitory computer-readable medium comprising asoftware module stored thereon, the software module comprising programinstructions, the execution of which by the processor causing theauthentication server to perform acts comprising: receiving a responseto a request from a first telecommunications terminal to access saiddatabase from a second telecommunications terminal; and verifying asubscriber identifier of a second telecommunications network followingthe receiving of said response to an access request, and validatingaccess to the database by the first terminal according to the result ofsaid verification; providing access to said authentication serverthrough a preliminary operation of loading and displaying in the firstterminal a web page; automatically generating a two-dimensional codewhen said web page is downloaded, said two-dimensional code beingrepresented by said web page, displayed on a screen of the firstterminal, for access to the authentication server of the serviceplatform, so that transmitting information representative of saidrequest for access to said database from the first terminal to thesecond terminal includes transmitting said two-dimensional code to asoftware application installed in the second terminal.
 10. Theauthentication server as claimed in claim 9, wherein execution of theprogram instructions by the processor further causes the authenticationserver to perform acts comprising: receiving a request for access to thedatabase from the first terminal, said request including informationidentifying a subscriber to a second telecommunications network;determining a second telecommunications terminal from said subscriberidentification information retrieved from the access request received;and, transmitting to the second terminal a request for authorizingaccess of the first terminal to the database.
 11. At least onenon-transitory computer-readable medium comprising at least one softwaremodule stored thereon and comprising program instructions the executionthereof by at least one computer processor implementing a method ofaccess by a first telecommunications terminal to a database hosted by aservice platform that is accessible via a first telecommunicationsnetwork, wherein the method includes acts of: (A)—transmitting to asecond telecommunications terminal associated with a subscriberidentifier of a second telecommunications network, informationrepresentative of a request from the first terminal to access thedatabase; (B)—in the second terminal, sending a response to said accessrequest to an authentication server of said platform; and (C)—in theauthentication server, when a response to the access request isreceived, verifying the identifier of the subscriber to said secondnetwork, and validating or not validating access to the database by thefirst terminal according to the result of said verification; said methodfurther including a preliminary operation of loading and displaying inthe first terminal a web page for access to the authentication server ofsaid platform, and in which: said web page for access to theauthentication server of the service platform, displayed on a screen ofthe first terminal, represents a two-dimensional code automaticallygenerated by the authentication server when said web page is downloaded;and act (A) of transmitting information representative of a request foraccess to said database from the first terminal to the second terminalcomprises transmitting said two-dimensional code to a softwareapplication installed in the second terminal.